SC EEPROM Info

The SC EEPROM in FAT consoles is a custom/proprietary EEPROM chip that uses special, non-standard commands for reading and writing.
Fortunately, Sony exposed the EEPROM chip's pins outside the Syscon, so we have physical access to it and can attach devices such as a logic analyzer, a protocol analyzer or a custom-made MCU board to capture the traffic between the console and the Syscon EEPROM.

In FAT consoles the Syscon EEPROM consists of 0x4000 blocks, each holding 2 bytes of data,
so the total EEPROM size is 0x8000 bytes.

Since the pin-out of the Syscon chip in Slim and Super Slim consoles is still unknown, we cannot be sure whether the Syscon EEPROM pins are exposed, so it is not known whether it can be accessed as on FAT consoles without dealing with the Syscon itself.

SC EEPROM Commands

The FAT console's SC EEPROM uses the standard SPI protocol with the following proprietary commands:

Description          | Command              | Note
Unlock Command       | 0xA3 0x00 0x00       | This command must be sent before a write command.
Write Command        | 0xA4 0xXX 0xXX       | XX XX is the block id to be written (0x0000 to 0x3FFF); at most 32 bytes (16 blocks) can be written in one command cycle.
Read Command         | 0xA8 0xXX 0xXX       | XX XX is the block id to be read (0x0000 to 0x3FFF). There is no maximum length for a read, so a single read command with block id 0x00 0x00 can be followed by reading the full EEPROM without sending another read command.
Check Status Command | 0xA9 0x00 0x00 0x00  | The response is 0xFFFFFFFF if there is no error, or any other value if an error occurred or the EEPROM is still busy.
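As an added example (not code from this page or from any tool it names), the following Python encodes the four commands above with the page's limits (block ids 0x0000..0x3FFF, at most 32 bytes per write, unlock before write, 0xFFFFFFFF as the "no error" status) and exercises them against a constructed in-memory stand-in for the chip. The stand-in's behaviour (a write without a preceding unlock is recorded as an error) is an assumption made for testing the host-side framing, not a claim about the real part; on hardware the frames would go out over SPI from your own MCU.

```python
BLOCKS, BLOCK_SIZE, MAX_WRITE = 0x4000, 2, 32      # 0x4000 blocks x 2 bytes = 0x8000 bytes
CMD_UNLOCK, CMD_WRITE, CMD_READ, CMD_STATUS = 0xA3, 0xA4, 0xA8, 0xA9
STATUS_OK = 0xFFFFFFFF                              # "no error" reply to 0xA9

def _hdr(cmd, block_id=0):
    if not 0 <= block_id < BLOCKS:
        raise ValueError(f"block id {block_id:#06x} outside 0x0000..0x3FFF")
    return bytes([cmd, block_id >> 8, block_id & 0xFF])

def unlock_frame():                                 # 0xA3 0x00 0x00, must precede a write
    return _hdr(CMD_UNLOCK)

def write_frame(block_id, data):                    # 0xA4 hi lo + 1..16 whole blocks
    blocks = len(data) // BLOCK_SIZE
    if len(data) % BLOCK_SIZE or not 0 < len(data) <= MAX_WRITE or block_id + blocks > BLOCKS:
        raise ValueError("payload must be 2..32 bytes of whole blocks ending by 0x3FFF")
    return _hdr(CMD_WRITE, block_id) + bytes(data)

def read_frame(block_id):                           # 0xA8 hi lo, then clock out any length
    return _hdr(CMD_READ, block_id)

def status_frame():                                 # 0xA9 0x00 0x00 0x00
    return _hdr(CMD_STATUS) + b"\x00"

class SysconEepromModel:   # constructed in-memory stand-in, not a claim about the real chip
    def __init__(self):
        self.mem = bytearray(BLOCKS * BLOCK_SIZE)
        self.unlocked = self.error = False

    def transfer(self, frame, read_len=0):
        cmd, off = frame[0], ((frame[1] << 8) | frame[2]) * BLOCK_SIZE
        if cmd == CMD_UNLOCK:
            self.unlocked = True
        elif cmd == CMD_WRITE and self.unlocked:
            self.mem[off:off + len(frame) - 3] = frame[3:]
        elif cmd == CMD_WRITE:
            self.error = True                       # write without a preceding unlock (assumed)
        elif cmd == CMD_READ:
            return bytes(self.mem[off:off + read_len])   # no upper limit on reads
        elif cmd == CMD_STATUS:
            return (0 if self.error else STATUS_OK).to_bytes(4, "big")
        return b""

def write_region(dev, block_id, data):
    # Unlock before each 32-byte chunk, then confirm the whole run via status.
    for i in range(0, len(data), MAX_WRITE):
        dev.transfer(unlock_frame())
        dev.transfer(write_frame(block_id + i // BLOCK_SIZE, data[i:i + MAX_WRITE]))
    return int.from_bytes(dev.transfer(status_frame()), "big") == STATUS_OK
```

A full dump is a single `read_frame(0)` followed by clocking out 0x8000 bytes, which is what the read row of the table describes.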

Conclusion

A different key for a different authenticated region.

Sony uses either AES-128-CBC or AES-256-CBC (most likely 128-CBC).

Sony does this weird CBC crypto in which they only decrypt portions of 0x10 bytes of the region, then increment or decrement (most likely increment) the IV, and then decrypt again. I've decided to call it CTR-CBC.

Most likely the keys used are per-console session keys.

Most likely the IV used starts with 00, then gets incremented by 1 for each 0x10 bytes.

Acknowledgements

Zer0Tolerance for the crypto findings

flatz for his awesome syscon tool

Dumping your SC EEPROM

Linux

First you need graf_chokolo's kernel, ps3dm-utils and linux_hv_scripts.

Once you are ready:

Patch DM using linux_hv_scripts:

dmpatch.sh

Read the data from the region you want, for example (see the tables above):

ps3dm_scm /dev/ps3dmproxy 0x48000 0xFF

You will see some interesting data contained in the dumps.

Hashes

Where exactly the hashes are stored is still unknown; it is said that they are stored in the SC EEPROM.

To retrieve information about the packages you have installed you can also use ps3d_utils.

I have built my own Syscon EEPROM flasher based on the open-source "Arduino Mega" hardware and some resistors.

This flasher allows you to fully read/write your Syscon EEPROM (FAT consoles only so far).

You need:

1) A PS3 motherboard. I used a SEM-0001 board and desoldered the Syscon chip from it, but you can use a DIA-001, for example, without desoldering the Syscon chip, since all the EEPROM pins have test points on the board itself.